Fix use-after-free on a network error.

When any BPP calls ssh_remote_error or ssh_remote_eof, it triggers an immediate cleanup of the BPP itself - so on return from one of those functions we should avoid going straight to the crFinish macro, because that will write to s->crState, which no longer exists.
2025-01-09 17:38:00 +00:00 · 2018-09-28 11:26:26 +01:00 · 2018-09-28 11:26:26 +01:00 · e857e43361
commit e857e43361
parent ed0104c2fe
4 changed files with 4 additions and 0 deletions
--- a/ssh1bpp.c
+++ b/ssh1bpp.c
@ -245,6 +245,7 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
    } else {
        ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
    }
+    return;  /* avoid touching s now it's been freed */

    crFinishV;
 }
--- a/ssh2bpp-bare.c
+++ b/ssh2bpp-bare.c
@ -136,6 +136,7 @@ static void ssh2_bare_bpp_handle_input(BinaryPacketProtocol *bpp)
    } else {
        ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
    }
+    return;  /* avoid touching s now it's been freed */

    crFinishV;
 }
--- a/ssh2bpp.c
+++ b/ssh2bpp.c
@ -516,6 +516,7 @@ static void ssh2_bpp_handle_input(BinaryPacketProtocol *bpp)
    } else {
        ssh_remote_eof(s->bpp.ssh, "Server closed network connection");
    }
+    return;  /* avoid touching s now it's been freed */

    crFinishV;
 }
--- a/sshverstring.c
+++ b/sshverstring.c
@ -396,6 +396,7 @@ void ssh_verstring_handle_input(BinaryPacketProtocol *bpp)
  eof:
    ssh_remote_error(s->bpp.ssh,
                     "Server unexpectedly closed network connection");
+    return;  /* avoid touching s now it's been freed */

    crFinishV;
 }